The "ThreatFox: Vidar IOCs" rule detects potential adversary activity associated with the Vidar malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats before they cause significant data loss or operational disruption.
IOC Summary
Malware Family: Vidar
Total IOCs: 16
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://psy.gessoflex.com.br/ | botnet_cc | 2026-04-25 | 100% |
| domain | psy.gessoflex.com.br | botnet_cc | 2026-04-25 | 100% |
| url | hxxps://loja.lauricoco.com.br/ | payload_delivery | 2026-04-25 | 75% |
| url | hxxps://sergemoulypeintre.fr/ | payload_delivery | 2026-04-25 | 75% |
| url | hxxps://asoandes.org/ | payload_delivery | 2026-04-25 | 75% |
| url | hxxps://leslieporterfield.com/ | payload_delivery | 2026-04-25 | 75% |
| url | hxxps://lauricoco.com.br/ | payload_delivery | 2026-04-25 | 75% |
| url | hxxps://praiahall.com.br/ | payload_delivery | 2026-04-25 | 75% |
| url | hxxps://cleanpoweraustralia.com.au/ | payload_delivery | 2026-04-25 | 75% |
| url | hxxps://congresswcc.com/ | payload_delivery | 2026-04-25 | 75% |
| url | hxxps://coca.com.sg/ | payload_delivery | 2026-04-25 | 75% |
| url | hxxps://nutrionline.club/ | payload_delivery | 2026-04-25 | 75% |
| url | hxxps://soareintl.com/ | payload_delivery | 2026-04-24 | 75% |
| url | hxxps://pliage.ru/ | payload_delivery | 2026-04-24 | 75% |
| url | hxxps://mundialpostos.com.br/ | payload_delivery | 2026-04-24 | 75% |
| url | hxxps://smashclubburgers.com/ | payload_delivery | 2026-04-24 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["psy.gessoflex.com.br"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://psy.gessoflex.com.br/", "https://loja.lauricoco.com.br/", "https://sergemoulypeintre.fr/", "https://asoandes.org/", "https://leslieporterfield.com/", "https://lauricoco.com.br/", "https://praiahall.com.br/", "https://cleanpoweraustralia.com.au/", "https://congresswcc.com/", "https://coca.com.sg/", "https://nutrionline.club/", "https://soareintl.com/", "https://pliage.ru/", "https://mundialpostos.com.br/", "https://smashclubburgers.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
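The DNS query above lists only the single domain-type IOC, while the 15 payload-delivery URLs each carry a host that would also show up in DnsEvents. As an added example (not part of the page's rule or of ThreatFox), the Python below refangs a subset of the table's rows, folds URL hosts into the domain list, applies an optional confidence floor, and renders the `let ... = dynamic([...])` bindings the two hunting queries consume; the row tuples are constructed from the table above.

```python
"""Refang ThreatFox-style IOC rows and emit KQL list bindings for DNS and URL hunting."""
import re
from urllib.parse import urlsplit

# Constructed subset of the Vidar rows from the table above: (type, defanged value, confidence).
IOC_ROWS = [
    ("domain", "psy.gessoflex.com.br", 100),
    ("url", "hxxps://psy.gessoflex.com.br/", 100),
    ("url", "hxxps://loja.lauricoco.com.br/", 75),
    ("url", "hxxps://pliage.ru/", 75),
]


def refang(value: str) -> str:
    """Undo the common defanging conventions: hxxp -> http, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def split_iocs(rows, min_confidence=0):
    """Return (domains, urls), both sorted and de-duplicated.

    Hosts extracted from URL IOCs are added to the domain list so the DNS hunt
    covers payload-delivery hosts, not just rows typed 'domain'.
    """
    domains, urls = set(), set()
    for ioc_type, value, confidence in rows:
        if confidence < min_confidence:
            continue
        value = refang(value)
        if ioc_type == "url":
            urls.add(value)
            host = urlsplit(value).hostname
            if host:
                domains.add(host)
        elif ioc_type == "domain":
            domains.add(value)
    return sorted(domains), sorted(urls)


def kql_dynamic(name, values):
    """Render a KQL `let` binding holding the values as a dynamic string array."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


if __name__ == "__main__":
    domains, urls = split_iocs(IOC_ROWS)
    print(kql_dynamic("malicious_domains", domains))
    print(kql_dynamic("malicious_urls", urls))
```

Paste the two printed `let` lines in place of the ones in the queries above; raising `min_confidence` to 100 restricts the hunt to the botnet_cc rows.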
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the Vidar IOCs (e.g., a PowerShell script used for system cleanup).
Filter/Exclusion: `process.name != "schtasks.exe" OR process.args NOT LIKE "*clean*" OR process.name NOT IN ("task scheduler", "schtasks")`
Scenario: Admin Performing Log Collection via PowerShell
Description: An admin uses PowerShell to collect logs, which may include commands or paths that match Vidar IOCs (e.g., Get-EventLog, Export-Clixml).
Filter/Exclusion: `process.name != "powershell.exe" OR process.args NOT LIKE "*log*" OR process.user NOT IN ("Domain\Administrator", "Domain\Helpdesk")`
Scenario: Antivirus Quarantine Scan
Description: An antivirus tool quarantines a file that matches a Vidar IOC, causing a false positive during a scan.
Filter/Exclusion: `process.name NOT IN ("Windows Defender", "MsMpEng.exe") OR process.args NOT LIKE "*quarantine*"`
Scenario: Database Backup Job Using SQLCMD
Description: A database backup job uses sqlcmd to execute scripts that may contain strings matching Vidar IOCs.
Filter/Exclusion: `process.name != "sqlcmd.exe" OR process.args NOT LIKE "*backup*" OR process.user NOT IN ("Domain\DBA", "Domain\DBA_Group")`
Scenario: Network Monitoring Tool Generating Traffic
Description: A network monitoring tool (e.g., Wireshark, PRTG) generates traffic that matches a Vidar IOC due to legitimate network activity.
Filter/Exclusion: `process.name NOT IN (“Wi